From 03f0b51fe454f8dbe77c302897f7a5899c4c5380 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 25 Jun 2014 20:25:28 +0200 Subject: gpg: Limit keysize for unattended key generation to useful values. * g10/keygen.c (gen_elg): Enforce keysize 1024 to 4096. (gen_rsa): Enforce keysize 1024 to 4096. (gen_dsa): Enforce keysize 768 to 3072. -- It was possible to create 16k RSA keys in batch mode. In addition to the silliness of such keys, they have the major drawback that under GnuPG and Libgcrypt, with their limited amount of specially secured memory areas, the use of such keys may lead to an "out of secure memory" condition. --- g10/keygen.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/g10/keygen.c b/g10/keygen.c index af54c3f02..54d37d01b 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -1378,11 +1378,16 @@ gen_elg (int algo, unsigned int nbits, KBNODE pub_root, assert (is_ELGAMAL (algo)); - if (nbits < 512) + if (nbits < 1024) { nbits = 2048; log_info (_("keysize invalid; using %u bits\n"), nbits ); } + else if (nbits > 4096) + { + nbits = 4096; + log_info (_("keysize invalid; using %u bits\n"), nbits ); + } if ((nbits % 32)) { @@ -1428,7 +1433,7 @@ gen_dsa (unsigned int nbits, KBNODE pub_root, char nbitsstr[35]; char qbitsstr[35]; - if ( nbits < 512) + if (nbits < 768) { nbits = 2048; log_info(_("keysize invalid; using %u bits\n"), nbits ); @@ -1562,6 +1567,11 @@ gen_rsa (int algo, unsigned int nbits, KBNODE pub_root, nbits = 2048; log_info (_("keysize invalid; using %u bits\n"), nbits ); } + else if (nbits > 4096) + { + nbits = 4096; + log_info (_("keysize invalid; using %u bits\n"), nbits ); + } if ((nbits % 32)) { -- cgit v1.2.3